Bug 842006 - (CVE-2013-4344) VUL-1: CVE-2013-4344: XSA-65: xen: qemu SCSI REPORT LUNS buffer overflow
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Andreas Färber
Reported: 2013-09-24 09:25 UTC by Matthias Weckbecker
Modified: 2015-04-22 11:06 UTC

Comment 1 Marcus Meissner 2013-10-03 08:06:37 UTC
public now, via oss-sec

             Xen Security Advisory CVE-2013-4344 / XSA-65
                              version 2

                 qemu SCSI REPORT LUNS buffer overflow

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

qemu contains a possible buffer overflow in the SCSI code that
implements the REPORT LUNS command.  The buffer can be overflowed by
creating a SCSI controller with more than 256 attached devices (such
as disks) and sending a REPORT LUNS command with a short transfer
buffer (less than 2056 bytes).

Xen systems do not use the qemu SCSI code by default.

IMPACT
======

On Xen systems where the device_model_args (or equivalent) parameters
have been used to configure a SCSI controller for a guest, with more
than 256 devices, a malicious guest might be able to escalate its
privilege to that of the qemu process in the host (typically root).

VULNERABLE SYSTEMS
==================

Only Xen systems whose administrators have deliberately configured HVM
guests to have emulated SCSI controllers, and where those guests are
provided with more than 256 devices, are vulnerable.

We are not aware of any such systems.

MITIGATION AND RESOLUTION
=========================

Please refer to the advisories and information from the Qemu project.

If, during the embargo period, you have any questions about this
advisory in the context of Xen, please contact the Xen Project
Security Team.

CREDITS
=======

This issue was reported to us by the Qemu project.
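
The size relationship behind the advisory's numbers, as an added C example (not qemu's or Xen's code): a REPORT LUNS response is an 8-byte header plus one 8-byte entry per LUN, so 256 devices fill exactly 2056 bytes and any further device needs more. The hypothetical `build_report_luns` below sizes its staging buffer from the device count and truncates only when copying out to the transfer length; all function names, macros and the LUN numbering are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN   8u      /* 4-byte LUN list length + 4 reserved bytes */
#define ENTRY_LEN 8u      /* one LUN descriptor */
#define MAX_LUN   0x3FFFu /* largest LUN in flat-space addressing */

/* Size of the complete response for n_luns devices: 256 -> 2056 bytes. */
size_t report_luns_full_len(size_t n_luns)
{
    return HDR_LEN + n_luns * ENTRY_LEN;
}

/* Encode one LUN: peripheral addressing below 256, flat-space above. */
static void store_lun(uint8_t *p, uint16_t lun)
{
    memset(p, 0, ENTRY_LEN);
    p[0] = lun < 256 ? 0 : (uint8_t)(0x40 | ((lun >> 8) & 0x3F));
    p[1] = (uint8_t)(lun & 0xFF);
}

/*
 * Hypothetical hardened builder (illustration only): the staging buffer is
 * sized from the device count, never from a fixed constant, and at most
 * xfer_len bytes are copied out. Returns bytes placed in out, or -1.
 */
long build_report_luns(const uint16_t *luns, size_t n_luns,
                       uint8_t *out, size_t xfer_len)
{
    size_t full, list_len, i, n;
    uint8_t *buf;

    if (luns == NULL || out == NULL || n_luns > MAX_LUN + 1u)
        return -1;
    full = report_luns_full_len(n_luns);
    list_len = full - HDR_LEN;
    if ((buf = calloc(1, full)) == NULL)
        return -1;
    buf[0] = (uint8_t)(list_len >> 24);   /* big-endian LUN list length */
    buf[1] = (uint8_t)(list_len >> 16);
    buf[2] = (uint8_t)(list_len >> 8);
    buf[3] = (uint8_t)list_len;
    for (i = 0; i < n_luns; i++)          /* every write stays inside buf */
        store_lun(buf + HDR_LEN + i * ENTRY_LEN, luns[i]);
    n = xfer_len < full ? xfer_len : full; /* truncate on copy-out only */
    memcpy(out, buf, n);
    free(buf);
    return (long)n;
}
```
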
Comment 3 Bernhard Wiedemann 2014-01-24 17:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (842006) was mentioned in
https://build.opensuse.org/request/show/215063 13.1+12.3 / qemu+qemu-linux-user
Comment 4 Alexander Bergmann 2014-04-01 13:47:54 UTC
@Charles

This is really a narrow-band scenario. Is it even applicable for any SLE Xen version? If not I would suggest to close this bug.
Comment 5 Charles Arnold 2014-04-01 22:11:24 UTC
(In reply to comment #4)
> @Charles
> 
> This is really a narrow-band scenario. Is it even applicable for any SLE Xen
> version? If not I would suggest to close this bug.

All SLE versions prior to SLE12 use the legacy qemu for HVM guests.
SLE11 SP3 allows the use of the newer qemu with HVM guests but it
is considered 'technical preview' and is not the default.
SLE12 Xen has the fix in its version of qemu.

It is applicable to the Xen version on os13.1 which uses qemu 1.3.1
for both HVM and PV guests. I have taken the patch for os13.1 and
SLE11 SP3 (even though it is not the default) just for completeness.
I'm ok with closing it.
Comment 6 Alexander Bergmann 2014-04-02 06:40:42 UTC
Closing as discussed.
Comment 12 Swamp Workflow Management 2014-05-08 13:53:51 UTC
Update released for: kvm, kvm-debuginfo, kvm-debugsource
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, s390x, x86_64)
Comment 13 Swamp Workflow Management 2014-05-08 17:04:45 UTC
SUSE-SU-2014:0623-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 812983,817593,842006,864802,870439
CVE References: CVE-2013-2016,CVE-2013-4344,CVE-2013-4541,CVE-2014-0142,CVE-2014-0143,CVE-2014-0144,CVE-2014-0145,CVE-2014-0146,CVE-2014-0147
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.11.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.11.1
Comment 16 Swamp Workflow Management 2014-10-09 11:05:58 UTC
openSUSE-SU-2014:1279-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 798770,820873,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,891539,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 12.3 (src):    xen-4.2.4_04-1.32.1
Comment 17 Swamp Workflow Management 2014-10-09 11:09:39 UTC
openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_02-27.1
Comment 18 Swamp Workflow Management 2014-10-22 23:05:44 UTC
SUSE-SU-2014:1318-1: An update that solves 10 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 798770,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,882092,891539,895798,895799,895802,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.4_04-0.9.1
Comment 19 Johannes Segitz 2015-04-22 11:06:29 UTC
all updates released